ARRA WEBSITES VULNERABLE TO HACKERS AND CARRY SECURITY RISKS

Department of Transportation

Report Number: FI-2011-006
Date Issued: 10/22/2010


U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject:   ACTION: Report on ARRA Websites Vulnerable to Hackers and Carry Security Risks
           Department of Transportation
           Report Number: FI-2011-006

Date:      October 22, 2010

From:      Earl C. Hedges
           Acting Assistant Inspector General for Financial and Information Technology Audits

Reply to Attn. of:   JA–20

To:        Chief Information Officer, DOT

On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA) in response to the economic crisis facing the nation. ARRA requires unprecedented levels of transparency and accountability so that taxpayers know where their tax dollars are being spent. To address that requirement, the Department of Transportation (DOT) and its Operating Administrations (OA) deployed various Websites to collect and disseminate ARRA-related information. With multiple Websites in play, DOT's ARRA program inevitably inherits security risks. In recent years, public Websites have become the target of cyber attacks. For example, hackers launched a malicious denial-of-service attack against DOT's main Website on July 5, 2009, resulting in the public's inability to access DOT information. In addition, vulnerabilities in Web-based technologies could allow attackers to gain unauthorized access to sensitive information stored in agency computers.

The objective of this audit was to determine if DOT's recovery Websites and database systems are properly configured to minimize the risk of cyber attacks. Accordingly, we performed assessments of these Websites and systems to identify vulnerabilities. A detailed description of the scope and methodology used on this audit can be found in Exhibit A. We conducted this audit between December 2009 and July 2010 in accordance with generally accepted government auditing standards.


RESULTS IN BRIEF

DOT's ARRA-related Websites and databases contain a combination of high-, moderate-, and low-risk vulnerabilities.[1] By exploiting the high-risk vulnerabilities, hackers could attack the computers used by the public to access the Websites, gain access to sensitive data such as password files stored on servers, take control of a server, and attack other computers on DOT's networks. These vulnerabilities exist because the Websites, databases and servers are not configured in compliance with DOT configuration security standards. For security reasons, we are not presenting specific vulnerabilities in this report. However, we briefed department officials on specifics, including potential fixes to address our recommendations.

[1] High-risk vulnerabilities may provide an attacker with immediate access into a computer system, such as allowing execution of remote commands. Moderate-risk and low-risk vulnerabilities may provide an attacker with useful information, such as error messages revealing system configuration, that they can then use to compromise a computer system.


BACKGROUND

Seven Operating Administrations (OAs) have received over 48 billion dollars in ARRA stimulus funds, with more than 93 percent of these funds allocated to FHWA, FRA and FTA (see Table 1).

Table 1. Distribution of ARRA Funds within DOT

OA                                         Stimulus Funds (millions)   Percent of Total
Federal Highway Administration (FHWA)                        $27,500             57.15%
Federal Railroad Administration (FRA)                         $9,300             19.33%
Federal Transit Administration (FTA)                          $8,400             17.46%
Office of the Secretary (OST)                                 $1,500              3.12%
Federal Aviation Administration (FAA)                         $1,300              2.70%
Maritime Administration (MARAD)                                 $100              0.21%
Office of Inspector General (OIG)                                $20              0.04%
Total                                                        $48,120            100.00%
Source: ARRA

ARRA outlined two different reporting requirements in order to track the use of Recovery funds--Section 1201 and Section 1512:

   • Section 1201 requires agencies to provide periodic reports to Congress, tracking the amounts of Federal funds appropriated, numbers of projects put out to bid, numbers of projects awarded and the amounts awarded, numbers of projects for which work has begun or completed, numbers of jobs created, and aggregate expenditures by each grant recipient.

   • Section 1512 requires recipients to submit quarterly reports to the Department identifying the total amount of funds received, the amount of funds obligated, a detailed list of projects for which funds were expended, and detailed information on any subgrants awarded by the grant recipient.

In fulfilling Section 1201 reporting requirements, DOT uses its existing financial systems to compile ARRA data. Five OAs--FHWA, FAA, MARAD, FRA, and FTA--have developed internal processes for collecting, storing, and reporting information on ARRA grant activities to OST. MARAD and FRA report this information directly through the departmental financial system, Delphi, while FHWA, FAA, and FTA use their own grant management systems to process and store data before it is electronically sent to the Delphi system. When the Department is ready to report on these funds, an extract of the data is populated into an Excel template by OST and emailed to the Recovery Accountability and Transparency Board for posting to the Recovery.gov website (see Figure 1).

In an effort to provide transparency to the public, these OAs post ARRA data to their individual Websites and to DOT's main Recovery Webpage and interactive map Website, which displays geographical information on the ARRA projects. Currently, DOT's interactive map Website is maintained by the Research and Innovative Technology Administration (RITA). Our audit focused on DOT's recovery Websites.

Figure 1. DOT ARRA Reporting Process (Section 1201)
[Flowchart not reproduced. Labels recoverable from the figure: FHWA RASPS System (connected to Delphi); FHWA FMIS System (10,000 projects); FHWA Delphi Interface Management System; FTA TEAM System (800 projects); FTA ECHO System; FAA ARRA Database Collector; FAA SOAR System (300 projects - Airport Improvement Program); Delphi (financial transactions); Manually Update Delphi: FRA (1 grant - AMTRAK), MARAD (70 grants – Small Shipyards Grant Program); Excel template is populated and emailed; Recovery.gov.]
Source: OIG


ARRA Websites and Databases Are Vulnerable to Cyber Attacks

The OAs' ARRA-related Websites and databases, including the servers on which they are hosted, contain a total of 1,822 high-risk, 3,550 medium-risk, and 3,759 low-risk security vulnerabilities (see Table 2).[2] These vulnerabilities exist because the Websites, servers, and database systems are not configured in compliance with DOT's configuration security standards. As a result, the systems are vulnerable to cyber attacks which could not only undermine DOT's ARRA reporting, but also interrupt DOT's business operations.

[2] Due to the software manufacturer's use of slightly different definitions for classifications of vulnerability, we combined their "critical" and "high-risk" vulnerabilities into one "high-risk" category, and their "informational" and "low-risk" vulnerabilities into one "low-risk" category.

Table 2. Vulnerability Assessment Results

                            Number        Potential Vulnerabilities
                            Reviewed      High      Medium      Low
Server Level Assessment         16           7           6       48
Website Assessment              13        1759        1257     3541
Database Assessment              3          56        2287      170
TOTAL                           32        1822        3550     3759
Source: OIG

Most of the high-risk vulnerabilities are associated with 13 Websites,[3] which contain Web pages used to post ARRA-related information for public use. These vulnerable Websites could put users' computers in danger by allowing hackers to gain access to the users' computers and their personal information, thus diminishing the public's trust in the Agency. For example, one particular vulnerability, found on 8 of the 13 Websites, could allow hackers to use the Websites to launch attacks on users' computers.

In addition, we identified high-risk vulnerabilities on the computer servers hosting ARRA information.[4] Such vulnerabilities could allow attackers to gain access to the ARRA data residing on the servers. By exploiting these vulnerabilities, we obtained password and system configuration files from one server. If an inside attacker were able to exploit the same vulnerability, he or she could potentially crack the passwords, take control of the server, and do harm, such as introducing viruses, to DOT's network.

We also identified several high-risk vulnerabilities on the databases, which could result in damage to the ARRA-related data stored in the databases. For example, to facilitate grantees' collection of information for external reporting, per ARRA Section 1512, FHWA implemented a database system known as the Recovery Act Data System (RADS). We found a vulnerability on this database which could be exploited to compromise the database's server and result in unauthorized access allowing modification or destruction of ARRA data. For security reasons, we are not presenting specific vulnerabilities in this report. However, we provided detailed information to department officials for immediate corrective actions.

[3] A Website consists of many Web pages that display information for Internet users.
[4] These servers include those hosting DOT's TIGER Collector system. TIGER Collector was initially developed for OAs to centralize DOT's ARRA reporting. However, at the time of our audit, the system was no longer being used by OAs since OAs had found ways of using their own financial systems for ARRA reporting. Although the Web interface of TIGER Collector has been disabled, the two computer servers supporting this system were still active on DOT's internal network as of April 6, 2010.


CONCLUSION

The Department of Transportation received an additional 48 billion taxpayer dollars through ARRA. Not only is DOT responsible for ensuring transparency and accountability of ARRA funds so that taxpayers know how these dollars are spent, it is also responsible for ensuring that its publicly accessible Websites are reasonably secured. DOT's ARRA-related Websites, servers and databases, however, are vulnerable to cyber attacks because they are not configured in compliance with the Department's security configuration standards. DOT management needs to take immediate corrective actions to minimize the risk of cyber attacks on these systems.


RECOMMENDATIONS

For security reasons, we are not disclosing the details of the potential fixes we provided to OA officials. Accordingly, we recommend that DOT's Chief Information Officer direct OA officials to (1) take immediate actions to correct the high-risk vulnerabilities found on ARRA-related Websites and databases, and (2) ensure that the planned corrections of other weaknesses identified during this audit are tracked and monitored in the OAs' Plan of Actions and Milestones (POA&M) system.


AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

We provided a draft of this report to the DOT Chief Information Officer for comment on August 30, 2010, and received his response on September 30, 2010. He concurred with the two recommendations and discussed appropriate planned actions and target completion dates. The response is included in its entirety in Appendix A.


ACTIONS REQUIRED

The CIO's planned actions and target dates are responsive to our recommendations. We consider these recommendations addressed pending completion of the planned actions. We appreciate the courtesies and cooperation of Department of Transportation representatives during this audit. If you have any questions concerning this report, please call me at (410) 962-3612 or Louis King, Program Director, at (202) 366-1407.

                                        #

cc:   Chief Information Officer, FHWA
      Chief Information Officer, FTA
      Chief Information Officer, FRA
      Chief Information Officer, FAA
      Chief Information Officer, MARAD
      Chief Information Officer, RITA
      Martin Gertel, M-1


EXHIBIT A. SCOPE AND METHODOLOGY

We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our finding and conclusion based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our finding and conclusion based on our audit objective.

The audit work was performed from December 2009 to July 2010. We surveyed all Operating Administrations (OA) to collect specific information regarding all internal or public-facing systems, such as Websites and databases, that are related to ARRA reporting. Based on the OAs' input, we compiled an inventory of DOT's ARRA-related Websites and database systems. We also interviewed officials from the OAs that received ARRA stimulus funds in order to gain an understanding of DOT's ARRA reporting process.

To determine if DOT's recovery Websites and database systems are configured to minimize the risk of cyber attack, we performed vulnerability assessments on the computer systems, Websites and databases identified in the inventory. We performed the assessment using automated software tools as well as manual testing techniques. We reviewed the results of the scans to determine if the systems were in compliance with DOT's security configuration standards.


EXHIBIT B. MAJOR CONTRIBUTORS TO THIS REPORT

  Name                    Title
  Louis King              Program Director, IT Audit
  Dr. Ping Sun            Program Director, IT Audit Computer Laboratory
  Michael Marshlick       Project Manager
  Vasily Gerasimov        Computer Scientist
  Atul Darooka            Information Technology Specialist
  Susan Neill             Writer-Editor


APPENDIX A. AGENCY COMMENTS